Welcome to the Technical Exploration Center

• Introductions
• Access restrictions
• Restrooms
• Emergency Exits
• Smoking Policy
• Breakfast/Lunch/Snacks: location and times
• Special meal requirements?

© 2007 IBM Corporation





POT Objectives

By the end of this session you will:
• Understand the web application environment
• Understand and differentiate between network and application level vulnerabilities
• Understand where the vulnerabilities exist
• Understand how to leverage AppScan to perform an automated scan for vulnerabilities
Introductions

• Please introduce yourself
• Name and organization
• Current integration technologies/tools in use

What do you want out of this Exploration session?
Agenda

• Introductions & facilities
• Security Landscape
• Vulnerability Analysis
  » Top Attacks Overview
  » Cross Site Scripting
  » Hands on Labs 1-2
• Vulnerability Analysis (continued)
  » Hands on Labs 3-5
• Automated Vulnerability Analysis
  » AppScan Overview
  » Hands on Lab 6
The Alarming Truth

"Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions."
Jon Oltsik, Enterprise Strategy Group

"Up to 21,000 loan clients may have had data exposed"
Marcella Bombardieri, Globe Staff, August 24, 2006

"Personal information stolen from 2.2 million active-duty members of the military, the government said..."
New York Times, June 7, 2006

"Hacker may have stolen personal identifiable information for 26,000 employees..."
ComputerWorld, June 22, 2006





© 2007 IBM Corporation Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan 





Why Application Security is a High Priority

• Web applications are the #1 focus of hackers:
  » 75% of attacks at Application layer (Gartner)
  » XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)
• Most sites are vulnerable:
  » 90% of sites are vulnerable to application attacks (Watchfire)
  » 78% of easily exploitable vulnerabilities affected Web applications (Symantec)
  » 80% of organizations will experience an application security incident by 2010 (Gartner)
• Web applications are high value targets for hackers:
  » Customer data, credit cards, ID theft, fraud, site defacement, etc.
• Compliance requirements:
  » Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA,
Building Security & Compliance into the SDLC

[Diagram: Security, Developers and Testers across the development lifecycle]
• Enable Security to effectively drive remediation into development
• Provides Developers and Testers with expertise on detection and remediation ability
• Vulnerabilities are addressed before applications are put into production





High Level Web Application Architecture Review

[Diagram: Customer, Client Tier (Browser), Firewall, Web Servers (Presentation), Middle Tier (Business Logic), Data Tier (Databases)]
• The app is deployed on the web server / middle tier
• Sensitive data is stored in the data tier
• Firewall labels in the diagram: Protects Transport, Protects Network
Network Defenses for Web Applications

[Diagram: Firewall, Intrusion Detection System, Intrusion Prevention System and Application Firewall, feeding a System Incident Event Management (SIEM) system]
Web Application Environment

[Diagram: Web Application, Web Server, Database, Operating System and Network layers, each covered by a class of scanner]
• Web Application Scanners
• Database Scanners
• Host Scanners
• Network Scanners
Where are the Vulnerabilities?

[Diagram: Web Applications (Client-Side, Custom, Web Services, Emerging Tech), Third-party Components, Network]
• Code Scanning vendors shown: Fortify, Ounce Labs, Secure Software, Klocwork, Parasoft
Agenda

• Introductions & facilities
• Security Landscape
• Vulnerability Analysis
  » Top Attacks Overview
  » Hands on Labs 1-2
• Vulnerability Analysis (continued)
[Chart: % of Attacks vs. % of Dollars spent, by layer]
• 75% of All Attacks on Information Security Are Directed to the Web Application Layer
• 2/3 of All Web Applications Are Vulnerable
What is a Web Application?

• The business logic that enables:
  » User's interaction with Web site
  » Transacting/interfacing with back-end data systems (databases, CRM, ERP etc.)
• In the form of:
  » 3rd party packaged software, i.e. web server, application server, software packages etc.
  » Code developed in-house / web builder / system integrator

Input and Output flow through each layer of the application.
A break in any layer breaks the whole application.
Security Defects: Those I Manage vs. Those I Own

| | Infrastructure Vulnerabilities or Common Web Vulnerabilities (CWVs) | Application Specific Vulnerabilities (ASVs) |
|---|---|---|
| Cause of Defect | Insecure application development by 3rd party SW | Insecure application development in-house |
| Location within Application | 3rd party technical building blocks or infrastructure (web servers, ...) | Business logic: dynamic data consumed by an application |
| Type(s) of Exploits | Known vulnerabilities (patches issued), misconfiguration | SQL injection, path tampering, Cross site scripting, Suspect content & cookie poisoning |
| Detection | Match signatures & check for known misconfigurations | Requires application specific knowledge |
| Business Risk | Patch latency primary issue | Requires automatic application lifecycle security |
| Cost Control | As secure as 3rd party software | Early detection saves $$$ |
OWASP and the OWASP Top 10 list

• Open Web Application Security Project: an open organization dedicated to fighting insecure software
• "The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are"
• We will use the Top 10 list to cover some of the most common security issues in web applications
The OWASP Top 10 list

| Application Threat | Negative Impact | Example Impact |
|---|---|---|
| Cross Site Scripting | Identity Theft, Sensitive Information Leakage, ... | Hackers can impersonate legitimate users, and control their accounts. |
| Injection Flaws | Attacker can manipulate queries to the DB / LDAP / Other system | Hackers can access backend database information, alter it or steal it. |
| Malicious File Execution | Execute shell commands on server, up to full control | Site modified to transfer all interactions to the hacker. |
| Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns contents of sensitive file (instead of harmless one) |
| Cross-Site Request Forgery | Attacker can invoke "blind" actions on web applications, impersonating as a trusted user | Blind requests to bank account transfer money to hacker |
| Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks |
| Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can "force" session token on victim; session tokens can be stolen after logout |
| Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, Credit Cards) can be decrypted by malicious users |
| Insecure Communications | Sensitive info sent unencrypted over insecure channel | Unencrypted credentials "sniffed" and used by hacker to impersonate user |
| Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access a page past the login page |





1 - Cross-Site Scripting (XSS)

• What is it?
  » Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
• What are the implications?
  » Session Tokens stolen (browser security circumvented)
  » Complete page content compromised
  » Future pages in browser compromised
Demonstration: Cross Site Scripting

• Main points covered in the demo or video:
  » Locating a place where user input is echoed back to the browser
  » Seeing if the user input is echoed back 'as-is' or if it is properly encoded
  » Exploiting the vulnerability
XSS Example I

[Screenshot: Altoro Mutual "Search Results" page showing "No results were found for the query:", with the page's HTML source]

HTML code:
<p>No results were found for the query:<br /><br />
<span id="_ctl0__ctl0_Content_Main_lblSearch"></span>

Privacy Policy | Security Statement | © 2007 Altoro Mutual, Inc.
XSS Example II

[Screenshot: the same search page requested as search.aspx?txtSearch=<script>alert(document.cookie)</script> on www.testfire.net; the browser shows an alert dialog titled "The page at http://www.testfire.net says:"]
XSS: Details

• Common in Search, Error Pages and returned forms.
  » But can be found on any type of page
• Any input may be echoed back
  » Path, Query, Post-data, Cookie, Header, etc.
• Browser technology used to aid attack
  » XMLHttpRequest (AJAX), Flash, IFrame...
• Has many variations
  » XSS in attribute, DOM Based XSS, etc.
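The search page in the examples above writes the query straight into the results paragraph. The following Python is added here and is not part of the deck or of the Altoro Mutual application: it renders that paragraph with and without output encoding and implements the "echoed as-is or properly encoded?" check from the demo. The template, the function names and the probe string are assumptions.

```python
# Added example (not AppScan or Altoro Mutual code). Models the search page from
# the deck: the txtSearch value is written into the "No results" paragraph.
import html
import re

# Assumed template, modelled on the Altoro Mutual search results HTML in the deck.
TEMPLATE = (
    '<p>No results were found for the query:<br /><br />'
    '<span id="_ctl0__ctl0_Content_Main_lblSearch">{query}</span></p>'
)


def render_search_vulnerable(query: str) -> str:
    """Echoes the parameter as-is: markup in the query becomes part of the page
    and any script in it runs in the site's own origin."""
    return TEMPLATE.format(query=query)


def render_search_hardened(query: str) -> str:
    """Encodes &, <, >, " and ' so the query is displayed as text and never parsed
    as markup. Applied before the value is written into a server-parsed page, the
    same encoding also stops an injected SSI directive (<!--#exec ...-->) from
    being recognised, because the parser no longer sees a '<'."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


# Harmless marker (constructed) carrying the metacharacters that matter for HTML.
PROBE = '<b>xsscheck"\'</b>'


def reflection_status(page_html: str, probe: str = PROBE) -> str:
    """Classify how a submitted probe came back in the response: 'unencoded'
    (reflected as-is, the XSS condition), 'encoded' (reflected but escaped)
    or 'not reflected'."""
    if probe in page_html:
        return "unencoded"
    if html.escape(probe, quote=True) in page_html:
        return "encoded"
    return "not reflected"


SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def script_blocks(page_html: str) -> list:
    """Script elements present in a rendered page. A page that should contain none
    but does after reflecting user input is the tell the demo looks for."""
    return SCRIPT_TAG.findall(page_html)
```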


Cross Site Scripting: The Exploit Process

[Diagram: Evil.org, the user's browser and bank.com]
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user
Exploiting XSS

• If I can get you to run my JavaScript, I can...
  » Steal your cookies for the domain you're browsing
  » Track every action you do in that browser from now on
  » Redirect you to a Phishing site
  » Completely modify the content of any page you see on this domain
  » Exploit browser vulnerabilities to take over machine
• XSS is the Top Security Risk today (most exploited)








Agenda

• Introductions & facilities
• Security Landscape
• Vulnerability Analysis
  » Top Attacks Overview
  » Hands on Labs 1-2
• Vulnerability Analysis (continued)
  » Hands on Labs 3-5
• Automated Vulnerability Analysis
  » AppScan Overview
  » Hands on Lab 6
Hands-on Labs

Lab 1: Profile Web Application
Lab 2: Steal Cookies
Lab 3: Login without Credentials
Lab 4: Steal Usernames and Passwords
Lab 5: Logging into the Administrative Portal
Lab 6: Automated Scan of Website
Lab 1: Profile Web Application

• The goal of this lab is to profile the demo.testfire.net application
• Identify the Lab Workbook and where to start (page #), where to stop (page #)
Lab 2: Steal Cookies

• The goal of this lab is to use a Cross Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user's browser
• Identify the Lab Workbook and where to start (page #), where to stop (page #)
Agenda

• Introductions & facilities
• Security Landscape
• Vulnerability Analysis
  » Top Attacks Overview
  » Hands on Labs 1-2
• Vulnerability Analysis (continued)
• Automated Vulnerability Analysis
  » AppScan Overview
  » Hands on Lab 6
2 - Injection Flaws

• What is it?
  » User-supplied data is sent to an interpreter as part of a command, query or data.
• What are the implications?
  » SQL Injection: Access/modify data in DB
  » SSI Injection: Execute commands on server and access sensitive data
  » LDAP Injection: Bypass authentication
SQL Injection

• User input inserted into SQL Command:
  » Get product details by id:
    Select * from products where id='$REQUEST["id"]';
  » Hack: send param id with value ' or '1'='1
  » Resulting executed SQL:
    Select * from products where id='' or '1'='1'
  » All products returned
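To make the product query above concrete, here is an added Python example (not AppScan or Altoro Mutual code) that runs the string-built query and its parameterized form against an in-memory SQLite table, and does the same for the login check whose syntax error appears on the next slides. The schema, the rows and the jsmith credential are constructed for the demo.

```python
# Added example (not AppScan or Altoro Mutual code). Reproduces the deck's product
# lookup and the login check as string-built SQL, next to the same queries with
# bound parameters. Uses SQLite in memory; schema and rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [("1", "Checking"), ("2", "Savings"), ("3", "Gold Visa")])
    # Constructed demo credential; a real store would hold password hashes.
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('jsmith', 'demo1234')")
    return con


def products_by_id_vulnerable(con, request_id: str) -> list:
    """The deck's  Select * from products where id='$REQUEST["id"]'  built by
    concatenation: a quote in the value rewrites the WHERE clause."""
    sql = "SELECT id, name FROM products WHERE id='" + request_id + "'"
    return con.execute(sql).fetchall()


def products_by_id_parameterized(con, request_id: str) -> list:
    """Same query with a bound parameter: the driver passes the value separately
    from the statement, so ' or '1'='1 is looked up as a literal id."""
    return con.execute("SELECT id, name FROM products WHERE id=?",
                       (request_id,)).fetchall()


def login_vulnerable(con, username: str, password: str) -> str:
    """String-built login check. A lone quote in the username breaks the statement
    and surfaces as a syntax error, which is what the deck's OleDbException shows."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    try:
        count = con.execute(sql).fetchone()[0]
    except sqlite3.OperationalError:
        return "sql-error"
    return "granted" if count else "denied"


def login_parameterized(con, username: str, password: str) -> str:
    """Bound parameters: a quote is just one more character in the value."""
    row = con.execute("SELECT COUNT(*) FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return "granted" if row[0] else "denied"
```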
SQL Injection Example I

[Screenshot: Online Banking Login form at http://www.testfire.net/bank/login.aspx with Username and Password fields]
SQL Injection Example II

[Screenshot: http://www.testfire.net/bank/login.aspx responds with "An Error Has Occurred"]

Summary:
Syntax error (missing operator) in query

Error Message:
System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''' AND password = 'asdf''. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable) at Altoro.Authentication.ValidateUser(String uName, String pWord) in d:\downloads\AltoroMutual_v5\website\bank\login.aspx.cs:line 68 at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in d:\downloads\AltoroMutual_v5\website\bank\login.aspx.cs:line 32 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
SQL Injection Example: Exploit

[Screenshot: Online Banking Login form at http://www.testfire.net/bank/login.aspx with the SQL injection string entered in the Username field]
SQL Injection Example: Outcome

[Screenshot: http://www.testfire.net/bank/main.aspx after the injected login]
Hello, John Smith
Welcome to Altoro Mutual Online.
View Account Details: 1001160140 Checking
Congratulations! You have been pre-approved for an Altoro Gold Visa with a credit limit of $10000! Click Here to apply.

Privacy Policy | Security Statement | © 2007 Altoro Mutual, Inc.
The Altoro Mutual website is published by Watchfire, Inc. for the sole purpose of demonstrating the effectiveness of Watchfire products in detecting web application vulnerabilities and website defects. This site is not a real banking site. Similarities, if any, to third party products and/or websites are purely coincidental. This site is provided "as is" without warranty of any kind, either express or implied. Watchfire does not assume any risk in relation to your use of this website. For additional Terms of Use, please go to http://www.watchfire.com/statements/terms.aspx. Copyright © 2007, Watchfire Corporation, All rights reserved.
Demonstration: SQL Injection

• Main points covered in the demo or video:
  » How to find a SQL injection vulnerability
  » How to exploit a SQL injection vulnerability
Injection Flaws (SSI Injection Example)

Creating commands from input

[Screenshot: "Driving Directions" form at http://www.123.com/maps.html; in the field "Street Address, Intersection or Airport Code" an SSI directive has been entered: <!--#exec cat /etc/ssl/private.pem -->]

[Screenshot: the response page echoes the field back and the directive has been executed by the server; above the message "We need a city, state; city, state zip; or a zip to generate a map" the page shows the contents of the private key file. The form fields read "Street Address, Intersection or Airport Code" (containing <!--#exec /bin/cat /etc/ssl/private) and "City, State Zip or a ZIP".]
3 - Malicious File Execution

• What is it?
  » Application tricked into executing commands or creating files on server
• What are the implications?
  » Command execution on server: complete takeover
  » Site Defacement, including XSS option
Demonstration: Malicious File Execution

• Main points covered in the demo or video:
  » Demonstrating how a Malicious File Execution attack can be used to get access to system files
Malicious File Execution: Example I

[Screenshot: http://www.testfire.net/feedback.aspx with the Tamper Data popup open, listing the request headers and POST parameters of the feedback submission, including the ASP.NET_SessionId cookie]
Malicious File Execution: Example cont.

[Screenshot: Tamper Data popup for http://www.testfire.net/comment.aspx listing the request headers (Host: www.testfire.net, User-Agent: Mozilla/5.0 ..., Accept, Accept-Language: en-us,en;q=0.5, Accept-Encoding: gzip,deflate, Accept-Charset) and the amUserInfo cookie; the POST parameter value has been replaced with an ASP.NET page:]

<%@ Page Language="C#" %>
<% Response.Write(System.IO.File.ReadAllText("c:/windows/system32/drivers/etc/hosts")); %>
Malicious File Execution: Example cont.

[Screenshot: browsing to http://www.testfire.net/myevilfile.aspx executes the uploaded page, which returns the server's hosts file:]

asdf. asdf. asdf. # Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host 127.0.0.1 localhost
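The upload path this example abuses, as added Python that is not AppScan or Altoro Mutual code: a handler that stores the client's file name under the web root, beside one that allow-lists extensions and stores outside the served tree, plus the audit walk a defender can run to find executable files under the web root. The directory layout, the extension sets and the uploaded page bytes are constructed.

```python
# Added example (not AppScan or Altoro Mutual code). Models the upload path the
# deck abuses: a file stored under its client-supplied name inside the web root
# is later requested as a page and handed to the script engine.
import os
import secrets
import tempfile

ALLOWED_UPLOAD_EXT = {".txt", ".png", ".jpg"}
# Extensions an ASP.NET site hands to the script engine (assumed list for the demo).
SERVER_EXECUTED_EXT = {".aspx", ".asp", ".ashx", ".asmx"}

# The page from the deck that reads the server's hosts file, as constructed bytes.
EVIL_ASPX = (b'<%@ Page Language="C#" %>\n'
             b'<% Response.Write(System.IO.File.ReadAllText('
             b'"c:/windows/system32/drivers/etc/hosts")); %>\n')


def setup_site() -> str:
    """Constructed layout: wwwroot/ is served and script-mapped, upload_store/ is not."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wwwroot", "uploads"))
    os.makedirs(os.path.join(root, "upload_store"))
    return root


def save_upload_vulnerable(root: str, filename: str, data: bytes) -> str:
    """Keeps the client's file name and writes under the web root, so a .aspx
    upload becomes a page the server executes on the next request for it."""
    name = os.path.basename(filename)
    with open(os.path.join(root, "wwwroot", "uploads", name), "wb") as f:
        f.write(data)
    return "/uploads/" + name


def save_upload_hardened(root: str, filename: str, data: bytes):
    """Allow-lists the extension, replaces the client name with a random one and
    stores outside the served tree. Returns the stored name, or None if rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        return None
    stored = secrets.token_hex(16) + ext
    with open(os.path.join(root, "upload_store", stored), "wb") as f:
        f.write(data)
    return stored


def executable_uploads(root: str) -> list:
    """Audit check: files under the served tree whose extension the server executes."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "wwwroot")):
        for name in files:
            if os.path.splitext(name)[1].lower() in SERVER_EXECUTED_EXT:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def run_demo() -> dict:
    root = setup_site()
    results = {
        "vuln_url": save_upload_vulnerable(root, "myevilfile.aspx", EVIL_ASPX),
        "vuln_audit": executable_uploads(root),
        "hard_aspx": save_upload_hardened(root, "myevilfile.aspx", EVIL_ASPX),
        "hard_txt": save_upload_hardened(root, "notes.txt", b"constructed text"),
    }
    # The hardened handler added nothing executable under the web root.
    results["hard_audit_unchanged"] = executable_uploads(root) == results["vuln_audit"]
    return results
```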


4 - Insecure Direct Object Reference

• What is it?
  » Part or all of a resource (file, table, etc.) name controlled by user input.
• What are the implications?
  » Access to sensitive resources
  » Information Leakage, aids future hacks
Demonstration: Insecure Direct Object References

• Main points covered in the demo or video:
  » Demonstrating how to extract files from the host system using the poison null byte attack
[Screenshot: Altoro Mutual "Deposit Products" content page]

Deposit Products
At Altoro Mutual, we offer business deposit products designed to help you manage your money and grow your business including:
Commercial Savings Accounts, Commercial Money Market Accounts, Time Deposits, High Yield Investments
For more information about these products, please contact Altoro Mutual.
Note: all Altoro Mutual business deposit accounts include free access to Altoro Mutual's secure Online Banking site, where you can view account information, make payments and transfers and more.
Insecure Direct Object Reference: Example Cont.

[Screenshot: http://www.testfire.net/default.aspx?content=..\boot.ini]
Error! File must be of type txt or htm
Insecure Direct Object Reference: Example Cont.

[Screenshot: the same default.aspx content request, this time returning the contents of boot.ini:]
[boot loader]timeout=30default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
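An added Python model (not Altoro Mutual code) of the content handler shown above: the extension test on the raw parameter that a null byte slips past, beside a resolver that rejects control characters and checks the canonical path before testing the extension. Files and directories are constructed in a temporary directory, and the example uses '../' rather than the deck's '..\' so it runs on any OS.

```python
# Added example (not AppScan or Altoro Mutual code). Models the deck's
# default.aspx?content=<file> handler: an extension test on the raw parameter,
# then the file is opened. Layout and file contents are constructed.
import os
import tempfile

ALLOWED_EXT = (".txt", ".htm")
EXT_ERROR = "Error! File must be of type txt or htm"


def setup_site():
    root = tempfile.mkdtemp()
    content = os.path.join(root, "content")
    os.mkdir(content)
    with open(os.path.join(content, "business_deposit.htm"), "w") as f:
        f.write("<h1>Deposit Products</h1>")
    # Stand-in for boot.ini: outside the content directory, never meant to be served.
    with open(os.path.join(root, "boot.ini"), "w") as f:
        f.write("[boot loader]\ntimeout=30\n")
    # An .htm file that also lives outside the content directory (constructed).
    with open(os.path.join(root, "private.htm"), "w") as f:
        f.write("internal page")
    return root, content


def serve_vulnerable(content_dir: str, name: str) -> str:
    if not name.lower().endswith(ALLOWED_EXT):
        return EXT_ERROR
    # Older native file APIs took the name as a NUL-terminated string: everything
    # after the null byte, including the suffix that just passed the check, was
    # dropped. That truncation is modelled here; Python itself refuses NUL in paths.
    native_name = name.split("\x00", 1)[0]
    with open(os.path.join(content_dir, native_name)) as f:   # no traversal check
        return f.read()


def serve_hardened(content_dir: str, name: str) -> str:
    if any(ord(c) < 32 for c in name):          # null byte and other control chars
        return "Error! Invalid file name"
    base = os.path.realpath(content_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:   # canonical path must stay inside
        return "Error! Access denied"
    if not path.lower().endswith(ALLOWED_EXT):     # test the path that is opened
        return EXT_ERROR
    with open(path) as f:
        return f.read()


def run_demo() -> dict:
    root, content = setup_site()
    return {
        "plain_vuln": serve_vulnerable(content, "business_deposit.htm"),
        "traversal_vuln": serve_vulnerable(content, "../boot.ini"),
        "nullbyte_vuln": serve_vulnerable(content, "../boot.ini\x00.txt"),
        "plain_hard": serve_hardened(content, "business_deposit.htm"),
        "nullbyte_hard": serve_hardened(content, "../boot.ini\x00.txt"),
        "outside_htm_hard": serve_hardened(content, "../private.htm"),
    }
```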
5 - Information Leakage and Improper Error Handling

• What is it?
  » Unneeded information made available via errors or other means.
• What are the implications?
  » Sensitive data exposed
  » Web App internals and logic exposed (source code, SQL syntax, exception call stacks, etc.)
  » Information aids in further hacks
Information Leakage: Example

[Screenshot: Online Banking Login page at http://www.testfire.net/bank/login.aspx next to its HTML source; the source contains a developer comment]

<h1>Online Banking Login</h1>
<!-- To get the latest admin login, please contact SiteOps at 415-555-6159 -->
<p><span id="_ctl0__ctl0_Content_Main_message"
Improper Error Handling: Example

[Screenshot: the same "An Error Has Occurred" page and OleDbException stack trace shown in SQL Injection Example II, at http://www.testfire.net/bank/login.aspx]

Error Message:
System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''' AND password = 'asdf''. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at ... Altoro.Authentication.ValidateUser(String uName, String pWord) in d:\downloads\AltoroMutual_v5\website\bank\login.aspx.cs:line 68 at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in d:\downloads\AltoroMutual_v5\website\bank\login.aspx.cs:line 32 at ...
Information Leakage: Different User/Pass Error

[Screenshot: two Online Banking Login attempts. The first returns "Login Failed - Invalid Password"; the second returns "Login Failed - Invalid Username".]
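The two messages above differ according to whether the username exists. Added Python (not Altoro Mutual code) showing that login beside a uniform-response version, and a log check for the enumeration pattern the leaky version enables; the users, the demo hashes, the log format and the log lines are constructed.

```python
# Added example (not AppScan or Altoro Mutual code). The deck's login says
# "Invalid Password" for a real user and "Invalid Username" otherwise, which
# confirms which usernames exist. Users, hashes and log lines are constructed.
import hashlib
import hmac
import re
from collections import defaultdict


def _digest(password: str) -> str:
    # Demo-only hash; a real store uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


USERS = {"jsmith": _digest("demo1234"), "admin": _digest("constructed-admin-pw")}
DUMMY_DIGEST = _digest("not-a-real-password")


def login_leaky(username: str, password: str) -> str:
    if username not in USERS:
        return "Login Failed - Invalid Username"
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return "Login Failed - Invalid Password"
    return "Welcome"


def login_uniform(username: str, password: str) -> str:
    """One message for both failures, and the hash comparison runs whether or not
    the user exists, so neither the text nor the timing separates the two cases."""
    stored = USERS.get(username, DUMMY_DIGEST)
    matched = hmac.compare_digest(stored, _digest(password))
    if matched and username in USERS:
        return "Welcome"
    return "Login Failed - Invalid username or password"


# Constructed log format:
# "<client-ip> login user=<name> result=<ok|invalid_username|invalid_password>"
LOG_LINE = re.compile(r"^(?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\S+)$")


def enumeration_suspects(log_lines, threshold: int = 5) -> list:
    """Client addresses whose failed logins named at least `threshold` distinct
    usernames: the pattern of someone harvesting valid accounts."""
    failed_users = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m["result"] != "ok":
            failed_users[m["ip"]].add(m["user"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= threshold)


SAMPLE_LOG = [   # constructed: 198.51.100.7 walks a name list, 203.0.113.5 mistypes once
    "198.51.100.7 login user=alice result=invalid_username",
    "198.51.100.7 login user=bob result=invalid_username",
    "198.51.100.7 login user=carol result=invalid_username",
    "198.51.100.7 login user=jsmith result=invalid_password",
    "198.51.100.7 login user=erin result=invalid_username",
    "198.51.100.7 login user=admin result=invalid_password",
    "203.0.113.5 login user=jsmith result=invalid_password",
    "203.0.113.5 login user=jsmith result=ok",
]
```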
6 - Failure to Restrict URL Access

• What is it?
  » Resources that should only be available to authorized users can be accessed by forcefully browsing them
• What are the implications?
  » Sensitive information leaked/modified
  » Admin privileges made available to hacker
Failure to Restrict URL Access: Admin User login

[Screenshot: logging in with Username "admin" shows "Hello, Admin User" and an ADMINISTRATION menu alongside the usual MY ACCOUNT menu (View Account Summary, View Recent Transactions, Transfer Funds, ...)]
Simple user logs in, forcefully browses to admin page

[Screenshot: the administration page reached by a non-admin user; it offers "Add an account to an existing user." with an Account Types selector and the existing account 100116014 jsmith]
Failure to Restrict URL Access: Privilege Escalation Types

• Access given to completely restricted resources
  » Accessing files that shouldn't be served (*.bak, "Copy Of", *.inc, *.cs, ws_ftp.log, etc.)
• Vertical Privilege Escalation
  » Unknown user accessing pages past login page
  » Simple user accessing admin pages
• Horizontal Privilege Escalation
  » User accessing other user's pages
  » Example: Bank account user accessing another's
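Both escalation types above come down to a missing authorization check per request. Added Python (not Altoro Mutual code): a dispatcher that serves any existing page, beside one that checks the session's role and account ownership on every request. The routes, roles and account table are constructed, and /admin/admin.aspx is an assumed path for the administration page.

```python
# Added example (not AppScan or Altoro Mutual code). Hiding the ADMINISTRATION
# menu from ordinary users is presentation, not authorization; the hardened
# dispatcher checks role and ownership on every request. Paths and data are
# constructed; /admin/admin.aspx is an assumed path.
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    role: str            # "anonymous", "user" or "admin"


ANONYMOUS = Session("", "anonymous")

# account number -> owning username (constructed; 1001160140 is John Smith's in the deck)
ACCOUNTS = {"1001160140": "jsmith", "9000000001": "mjones"}

# page -> roles permitted to load it
ROUTES = {
    "/bank/login.aspx": {"anonymous", "user", "admin"},
    "/bank/main.aspx": {"user", "admin"},
    "/bank/account.aspx": {"user", "admin"},
    "/admin/admin.aspx": {"admin"},
}


def dispatch_vulnerable(session: Session, path: str, params: dict) -> int:
    """Serves any page that exists. The only thing keeping users away from the
    admin page is that nobody showed them the link."""
    return 200 if path in ROUTES else 404


def dispatch_hardened(session: Session, path: str, params: dict) -> int:
    """HTTP status for the request: role check on every page (vertical), then an
    ownership check on the account being viewed (horizontal)."""
    if path not in ROUTES:
        return 404
    if session.role not in ROUTES[path]:
        return 302 if session.role == "anonymous" else 403   # 302: send to login
    if path == "/bank/account.aspx":
        owner = ACCOUNTS.get(params.get("id", ""))
        if owner is None:
            return 404
        if session.role != "admin" and owner != session.username:
            return 403
    return 200
```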
Demonstration: Failure to Secure URL Access

• Main points covered in the demo or video:
  » How to use forceful browsing to access the administrative page
Agenda

• Introductions & facilities
• Security Landscape
• Vulnerability Analysis
  » Top Attacks Overview
  » Hands on Labs 1-2
• Vulnerability Analysis (continued)
  » Hands on Labs 3-5
• Automated Vulnerability Analysis
  » AppScan Overview
  » Hands on Lab 6
Hands-on Labs 3-5

Lab 1: Profile Web Application
Lab 2: Steal Cookies
Lab 3: Login without Credentials
Lab 4: Steal Usernames and Passwords
Lab 5: Logging into the Administrative Portal
Lab 6: Automated Scan of Website
Lab 3 overview: Login without Credentials

• The goal of this lab is to locate a SQL injection vulnerability and exploit it to log into the demo.testfire.net application without a password
• Identify the Lab Workbook and where to start (page #), where to stop (page #)
Lab 4 overview: Steal Username and Password

• The goal of this lab is to exploit the SQL Injection vulnerability further in order to extract all the usernames and passwords from the demo.testfire.net application
• Identify the Lab Workbook and where to start (page #), where to stop (page #)
Lab 5 overview: Logging in to Admin Portal

• The goal of this lab is to use Information Leakage and Direct Access to URLs to find and log into the administrative portal
• Identify the Lab Workbook and where to start (page #), where to stop (page #)
Agenda

• Introductions & facilities
• Security Landscape
• Vulnerability Analysis
  » Top Attacks Overview
  » Hands on Labs 1-2
• Vulnerability Analysis (continued)
  » Hands on Labs 3-5
• Automated Vulnerability Analysis
  » AppScan Overview
  » Hands on Lab 6
• What is it?
  » AppScan is an automated tool used to perform vulnerability assessments on Web Applications
• Why do I need it?
  » To simplify finding and fixing web application security problems
• What does it do?
  » Scans web applications, finds security issues and reports on them in an actionable fashion
• Who uses it?
  » Security Auditors: main users today
  » QA engineers: when the auditors become the bottleneck
  » Developers: to find issues as early as possible (most efficient)
Web Application Security Testing Across the SDLC

[Diagram: AppScan editions across the lifecycle (ASE QuickScan, AppScan QA, AppScan Audit, AppScan MSP) under the headings Quality Assurance and Security Audit, with "Test Applications As Developed"; beneath them the stack being tested: Applications, Third-party Components, Web Server Configuration, Web Server, Database, Operating System, Network]
How does AppScan work?

• Approaches an application as a black-box
• Traverses a web application and builds the site model
• Determines the attack vectors based on the selected Test policy
• Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules

[Figure: AppScan sends an HTTP Request to the Web Application and examines the HTTP response]
AppScan Goes Beyond Pointing out Problems
Actionable Fix Recommendations

[Screenshot: AppScan 7.5 "Demo Scan 1.scan" of http://demo.testfire.net/ (53). Status: Scan is Incomplete; Visited URLs 108/108; Completed Tests 14194/14194. Issues pane, arranged by Severity (highest on top): 53 Security Issues (368 variants) for 'My Application', including Blind SQL Injection (4) at http://demo.testfire.net/bank/account.aspx (1), http://demo.testfire.net/bank/login.aspx (2) and http://demo.testfire.net/bank/transaction.aspx (1); Cross-Site Scripting (5); Format String Remote Command Execution (1); HTTP Response Splitting (1); SQL Injection (6); XPath Injection (1); Cookie Poisoning SQL Injection (1). Side panes: Remediation Tasks, Application Data]
Blind SQL Injection

There are several issues whose remediation lies in sanitizing user input.

By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launch arbitrary SQL queries, embed Javascript code to be executed on the client side, run various operating system commands etc.

It is advised to filter out all the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
AppScan with QA Defect Logger for ClearQuest

[Screenshot: "AS7.5 Demo Scan 1.scan - Watchfire AppScan" showing 54 Security Issues (370 variants) for 'My Application' (Scan is Incomplete), with issue types Cross-Site Scripting, Format String Remote Command Execution, HTTP Response Splitting, a "Session Not In..." issue (name truncated in the capture) and SQL Injection, and the Cross-Site Scripting issue's details pane listing Severity, Type, WASC Threat Classification, CVE Reference(s) and Security Risk]
Defect Details

[Screenshot: ClearQuest login dialog (Credentials: Username, Password) followed by the Defect Details record created by the QA Defect Logger. Summary: SQL Injection in http://revelation/acmehackme/bank/login.aspx [Parameter passw]. Record fields: id, Project, Severity, Priority, State, Keywords, Symptoms, Owner: engineer. Description: SQL Injection, Application-level test. WASC Threat Classification: Command Execution: SQL Injection. Security Risk: It is possible to view, modify or delete database entries and tables]
Lab 6 overview

• The goal of this lab is to use AppScan in order to automate the detection of vulnerabilities within a web application

• Identify the Lab Workbook and where to start (page #), where to stop (page #)
Session summary

• Understand the web application environment
• Understand and differentiate between network and application level vulnerabilities
• Understand where the vulnerabilities exist
• Hands on exercises to understand types of vulnerabilities
• Hands on exercise to leverage automated scan for vulnerabilities
Questions
Next steps

• Contact your Watchfire Account Representative to schedule a Vulnerability Assessment of one of your Applications

Reference materials

• IBM.com
  » http://www-306.ibm.com/software/rational/welcome/watchfire/products.html

© Copyright IBM Corporation 2007. All rights reserved.

The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. This information is based on current IBM product plans and strategy, which are subject to change by IBM without notice. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.

IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
We appreciate your feedback.
Please fill out the survey form in order
to improve this educational event.
IBM Software Group

Hacking 101

An IBM Proof of Technology


Why Application Security is a High Priority

• Web applications are the #1 focus of hackers:
  » 75% of attacks at Application layer (Gartner)
  » XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)

• Most sites are vulnerable:
  » 90% of sites are vulnerable to application attacks (Watchfire)
  » 78% of easily exploitable vulnerabilities affected Web applications (Symantec)
  » 80% of organizations will experience an application security incident by 2010 (Gartner)

• Web applications are high value targets for hackers:
  » Customer data, credit cards, ID theft, fraud, site defacement, etc.

• Compliance requirements:
  » Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA, ...
March 2007:

Sixty-six percent of vulnerabilities disclosed during this period affected Web applications.

Seventy-seven percent of all easily exploitable vulnerabilities affected Web applications, and seven percent affected servers.

With the advent of Windows Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party applications that are authored by companies that have not employed the Security Development Lifecycle. These third-party applications may not use accepted best software development practices, such as secure design, secure coding practices, code reviews, or secure developer tools such as Microsoft's Visual Studio. As a result, they may be less secure.

http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport

September 2006 Report:

Seventy-eight percent of easily exploitable vulnerabilities affected Web applications.

Web application vulnerabilities made up 69% of all vulnerabilities this period.
Building Security & Compliance into the SDLC

High Level Web Application Architecture Review

In a typical Web application security landscape, the user on the left-hand side interacts with the server environment, on the right. The data that is exchanged back and forth between the user and server environment might be encrypted using SSL, or it may not be, but it moves across the firewalls, intrusion detection systems, intrusion prevention systems, routers and switches to the web server on the other side. Note that it is the web application that facilitates the exchange of data between the server environment and the user. It is interesting to stop and note that while the data received from the client is not to be trusted, the web application itself is implicitly trusted by the backend environment and is permitted to communicate with everything from the database to an LDAP authentication system or to the core network. Let's take a little closer look at the network protections that might be associated with this exchange of data.
Network Defenses for Web Applications

[Figure: an HTTP request passes through a Firewall, an Intrusion Detection System, an Intrusion Prevention System and an Application Firewall, with System Incident Event Management (SIEM) shown alongside]
The first barrier that an HTTP request encounters while crossing the network is a firewall. Firewalls are set up to allow outsiders access to specific resources, and to prevent them from accessing other resources. For example, an outside individual wouldn't be allowed to directly connect to a database, but they can make a request to a web server. This means the firewall would be configured to deny traffic on a standard database port 1443, but allow traffic through ports 80 and 443, the web application ports. Since a web application attack arrives over those allowed ports, this system is clearly no protection at all against such malicious attacks.

The next protection an HTTP request encounters is an intrusion detection system. The IDS has been set up to look for signatures in the traffic that might indicate an attack. For example, it may look for a SQL statement embedded within a request, or for a script tag that indicates a potential XSS attack. The challenge with these systems is that if the request is encoded in some alternative format (say UTF-7) or the traffic is encrypted using SSL, the intrusion detection system is often not able to interpret or understand the requests. The IDS offers little to no protection against the web application attack.

The next protection that an HTTP request might encounter is an intrusion prevention system or IPS. These systems are designed to explicitly block requests that are deemed to be malicious. It is very similar to the
If the web application must defend itself, let's take a very high level look at web application VA. This will consider the products that will be used to discover vulnerabilities within or related to the Web application. We will discuss these in the typical order of usage, not priority.

The first product to be considered is the host-based VA product. These look for issues on the boxes. They are used first, and are the largest expenditure in this area, because the box requires an operating system and the operating system needs to be locked down. Host-based products ensure that shares, configuration and patches are properly implemented. There can be no web application without an operating system and web server. Protections for vulnerabilities and problems found by these products include configuration changes and patches.

The second products we will consider are network scanners. As mentioned before, these products are not provided local credentials for the systems. Instead, they are used to scan the network, discovering devices (web servers in this case) and testing them for known vulnerabilities. For example, Apache 1.3.27 is known to have vulnerabilities involving negative content-length buffer overflows. They also have some additional capabilities which we will discuss on the next slide. Network VA tools are usually used first as this is the most commonly used tool by the malicious individual. Thankfully, administrators also have access to this software and have considerable
Where are the Vulnerabilities?

[Figure: security stack, from the top down: Client-Side, Custom Web Applications, Third-party Components, Web Server Configuration, Web Server, Database, Applications, Operating System, Network; Web Services shown alongside]

This security stack clearly depicts the framework of the network through to web application. What areas do each of the VA tools address?

Let's look at the network VA tools first. These do not have any permission on the operating system itself and include products like Nessus, ISS Security Scanner, QualysGuard, and eEye Retina. These discover and search for vulnerabilities on the network (routers, switches, and firewalls) as well as web servers and known web applications.

Host-based assessment products look at applications. (Remember that the operating system is really just a foundational application.)

Database assessment products are specialized host-based products requiring credentials, that consider specific issues found in databases, another form of application.

Black-box application scanners consider everything at the top of this stack: from the web server to web server configuration, third party components and the web application itself. This might include client-side components such as JavaScript used in AJAX and Web 2.0, web services and service oriented architectures as well as the web application itself.
• Introductions & facilities
• Security Landscape

• Vulnerability Analysis
  » Top Attacks Overview
  » Hands on Labs 1-2

• Vulnerability Analysis (continued)
  » Hands on Labs 3-5

• Automated Vulnerability Analysis
  » AppScan Overview
  » Hands on Lab 6
The Myth: "Our Site Is Safe"

"We Have Firewalls in Place"

"We Audit It Once a Quarter with Pen Testers"

"We Use Network Vulnerability Scanners"

Every organization we visit, we hear this familiar sound... <read the slide> ...but when we show them the following slide, they have a different perspective.
The Reality: Security and Spending Are Unbalanced

[Chart: % of Attacks vs. % of Dollars, split between the Network Server layer and the Web Application layer]

75% of All Attacks on Information Security Are Directed to the Web Application Layer

2/3 of All Web Applications Are Vulnerable
Gartner

We all know that enterprise web site security is critical; what's surprising is that the security risk and the associated level of spending to mitigate this risk are unbalanced.

75% of attacks occur through web applications, yet only 10% of the security spending dollars are in this area.

We've certainly seen our customer base become much more informed about the level of risk that web applications present, and adjust their spending accordingly.
What is a Web Application?

Input and Output flow through each layer of the application
A break in any layer breaks the whole application

If we look at the complexity of the web application, it is multi-layered and includes all the business logic that enables the user's interaction with the web site and the transacting with the back-end data systems sitting behind the site. These applications come in the form of 3rd party packaged software and code developed in-house.

Even in a secure environment, so much has to go right for these layers to behave appropriately that it is amazing these sites work half the time! (NEXT SLIDE)
Security Defects: Those I manage vs. Those I own

                      | Infrastructure Vulnerabilities or       | Application Specific
                      | Common Web Vulnerabilities (CWVs)       | Vulnerabilities (ASVs)
----------------------|-----------------------------------------|------------------------------------------
Cause of Defect       | Insecure application development by     | Insecure application development
                      | 3rd party SW                            | in-house
Location within       | 3rd party technical building blocks or  | Business logic - dynamic data
Application           | infrastructure (web servers, ...)       | consumed by an application
Type(s) of Exploits   | Known vulnerabilities (patches issued), | SQL injection, path tampering, Cross
                      | misconfiguration                        | site scripting, Suspect content &
                      |                                         | cookie poisoning
Detection             | Match signatures & check for known      | Requires application specific
                      | misconfigurations                       | knowledge
Business Risk         | Patch latency primary issue             | Requires automatic application
                      |                                         | lifecycle security
Cost Control          | As secure as 3rd party software         | Early detection saves $$$
This chart details more of the differences between CWVs and ASVs and ultimately points out how an organization can most effectively reduce security defect costs.

Basically, an organization has very little control over the costs to find and fix CWVs and a lot of control over the costs to find and fix ASVs. CWVs are a result of 3rd party defects and as such can only be found once the application is in production. Because they are relatively easy to identify, and have patches issued for them that are publicly available, their cost to the organization is relatively low in terms of finding and fixing. On the other hand, ASVs are defects introduced during the application development lifecycle, are very difficult to identify manually, and require the entire app lifecycle process for creating a fix; therefore, the ability to control the cost is relatively high.

The cost to fix a vulnerability once it reaches deployment is 100 times greater than if it were caught and fixed in design. Because an ASV can be caught throughout the application lifecycle, the organization has the ability to control this cost.
OWASP and the OWASP Top 10 list

• Open Web Application Security Project - an open organization dedicated to fighting insecure software

• "The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are"

• We will use the Top 10 list to cover some of the most common security issues in web applications
The OWASP Top 10 list

(Table; the column headings were lost in extraction. Each entry lists the issue followed by its two table cells.)

Cross Site Scripting
  Identity Theft, Sensitive Information Leakage, ...
  Hackers can impersonate legitimate users, and control their accounts.

Injection Flaws
  Attacker can manipulate queries to the DB / LDAP / Other system
  Hackers can access backend database information, alter it or steal it.

Malicious File Execution
  Execute shell commands on server, up to full control
  Site modified to transfer all interactions to the hacker.

Insecure Direct Object Reference
  Attacker can access sensitive files and resources
  Web application returns contents of sensitive file (instead of harmless one)

Cross-Site Request Forgery
  Attacker can invoke "blind" actions on web applications, impersonating a trusted user
  Blind requests to bank account transfer money to hacker

Information Leakage and Improper Error Handling
  Attackers can gain detailed system information
  Malicious system reconnaissance may assist in developing further attacks

Broken Authentication & Session Management
  Session tokens not guarded or invalidated properly
  Hacker can "force" session token on victim; session tokens can be stolen after logout

Insecure Cryptographic Storage
  Weak encryption techniques may lead to broken encryption
  Confidential information (SSN, Credit Cards) can be decrypted by malicious users

Insecure Communications
  Sensitive info sent unencrypted over insecure channel
  Unencrypted credentials "sniffed" and used by hacker to impersonate user

Failure to Restrict URL Access
  Hacker can access unauthorized resources
  Hacker can forcefully browse and access a page past the login page

The OWASP Top 10 list includes the following 10 common security issues, which we will cover in a moment.
1. Cross-Site Scripting (XSS)

• What is it?
  » Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context

• What are the implications?
  » Session Tokens stolen (browser security circumvented)
  » Complete page content compromised
  » Future pages in browser compromised
A Cross Site Scripting attack attempts to echo back a malicious script in the HTML returned from a trusted site. Since the script is echoed back from a trusted site, it runs in the context of that site.

The implications of XSS are:
- Stealing HTTP session tokens
- Page content may be compromised (this may include "local" site defacement, or hijacking of the browser's session using scripting)
- Future pages may be contaminated as well (by hijacking the session)

Demonstration — Cross Site Scripting

• Main points covered in the demo or video:
  » Locating a place where user input is echoed back to the browser
  » Seeing if the user input is echoed back 'as-is' or if it is properly encoded
  » Exploiting the vulnerability
XSS Example I

[Screenshot: http://www.testfire.net/search.aspx?txtSearch=asdf in the browser; the Altoro Mutual "Search Results" page reads "No results were found for the query: asdf"]

HTML code:

<p>No results were found for the query:<br /><br />
<span id="_ctl0__ctl0_Content_Main_lblSearch">asdf</span>

Let's take a look at the following banking web site. This site contains a search function that allows users to search the site for specific text. If we type the string "asdf", the response to the search will contain that string, inside the results page, in what we call "free HTML context".

What will happen if, instead of typing "asdf", we type some JavaScript code?

Let's try to type the following JavaScript code:
<script>alert(document.cookie)</script>
XSS Example II

[Screenshot: the same search page requested with txtSearch=<script>alert(document.cookie)</script>; the Altoro Mutual "Search Results" page is returned]

HTML code:

<p>No results were found for the query:<br /><br />
<span id="_ctl0__ctl0_Content_Main_lblSearch"><script>alert(document.cookie)</script></span>
As you can see, the piece of JavaScript code that we wrote was echoed back by the site's search function. Since it was returned from the banking application, it had access to the Document Object Model (DOM), and could access the current session cookie.

In this situation, I myself planted this JavaScript code in the web page, but in an XSS attack, it is the attacker who creates a link that contains the malicious JavaScript, and then sends this link to the victim. When the victim clicks on the link, the malicious JavaScript will be echoed back from the trusted site.
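The reflecting search page from the two screenshots and the echo check described under "How does AppScan work?" (send a modified request, examine the response against a validation rule), as an added Python example that is not code from the deck, from AppScan or from the Altoro Mutual site; the handlers, the classify_echo rule and the sample probe are constructed for illustration:

```python
"""Added example (not code from the deck or from AppScan): the reflecting
search page from the screenshots, its output-encoded counterpart, and a
black-box echo check: send a request carrying a probe in txtSearch and
classify whether the page returns it as-is or HTML-encoded.
All names and the sample probe are constructed."""
import html
from typing import Callable, Literal
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample probe: the same string typed into the search box on the slide.
PROBE = "<script>alert(document.cookie)</script>"

# Page template mirroring the HTML shown in the screenshots.
TEMPLATE = (
    "<p>No results were found for the query:<br /><br />"
    '<span id="_ctl0__ctl0_Content_Main_lblSearch">{value}</span></p>'
)

Handler = Callable[[str], str]
Echo = Literal["as-is", "encoded", "not-echoed"]


def render_search_unsafe(query: str) -> str:
    """Vulnerable handler: the query lands in free HTML context untouched."""
    return TEMPLATE.format(value=query)


def render_search_safe(query: str) -> str:
    """Fixed handler: HTML-encode the untrusted value at the point of output,
    so <, >, & and quotes become entities and can no longer open a tag."""
    return TEMPLATE.format(value=html.escape(query, quote=True))


def handle_request(url: str, handler: Handler) -> str:
    """Stand-in for the web server: extract txtSearch and run the page logic."""
    params = parse_qs(urlsplit(url).query)
    return handler(params.get("txtSearch", [""])[0])


def classify_echo(response_html: str, probe: str) -> Echo:
    """Validation rule for a reflected-XSS test (probe must contain markup
    characters, otherwise 'as-is' is meaningless).

    'as-is'      the probe came back verbatim: active content reflected (report it)
    'encoded'    the probe came back as entities: reflected but neutralised
    'not-echoed' the input does not appear in the response at all
    """
    if probe in response_html:
        return "as-is"
    if html.escape(probe, quote=True) in response_html:
        return "encoded"
    return "not-echoed"


def scan_search_page(handler: Handler, probe: str = PROBE) -> Echo:
    """One black-box test: build the modified request, 'send' it, examine the reply."""
    url = "http://www.testfire.net/search.aspx?txtSearch=" + quote(probe)
    return classify_echo(handle_request(url, handler), probe)


if __name__ == "__main__":
    print("unsafe page:", scan_search_page(render_search_unsafe))  # as-is
    print("safe page:  ", scan_search_page(render_search_safe))    # encoded
```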







XSS — Details

• Common in Search, Error Pages and returned forms.
  » But can be found on any type of page

• Any input may be echoed back
  » Path, Query, Post-data, Cookie, Header, etc.

• Browser technology used to aid attack
  » XMLHttpRequest (AJAX), Flash, IFrame...

• Has many variations
  » XSS in attribute, DOM Based XSS, etc.
- XSS usually occurs in pages that echo back user input, for example search pages, error pages and forms that are returned in subsequent pages.

- Echoed input can come from any part of the HTTP message that is used by the application, for example: parts of the path, query, cookie or other headers.

- Some browser technologies can help with mounting the XSS attack, for example XMLHttpRequest (used in AJAX), flash objects or IFrames.

- There are several different flavors and variations of XSS, for example XSS in HTML attributes, DOM Based XSS, etc.
Cross Site Scripting — The Exploit Process

[Figure: three parties, User, bank.com and Evil.org]

1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user
Let's take a look at the chain of events during an XSS attack.

The attacker creates and sends the victim a link to bank.com (a trusted site). The link contains a search string (or any other string that is echoed back), which contains malicious JavaScript code.

The victim clicks on this link, since he/she trusts the bank.com web site.

The bank.com web application echoes back the malicious JavaScript code inside the response page. This JavaScript is executed in the security context of bank.com, since it is echoed back from that site. This means that it has access to DOM elements belonging to this domain/session.

The malicious script sends the current cookie and session information, without the victim's consent, to the evil.org web site, where the hacker is waiting for it.
Exploiting XSS

• If I can get you to run my JavaScript, I can...
  » Steal your cookies for the domain you're browsing
  » Track every action you do in that browser from now on
  » Redirect you to a Phishing site
  » Completely modify the content of any page you see on this domain
  » Exploit browser vulnerabilities to take over machine
  » ...

• XSS is the Top Security Risk today (most exploited)

If a hacker can get you to run a JavaScript, he/she can:
- Steal your cookies for the domain you're browsing
- Completely modify the content of any page you see on this domain
- Track every action you do in that browser from now on
- Redirect you to a Phishing site
- Exploit browser vulnerabilities to take over machine

XSS is currently one of the "hottest" security risks
Agenda

• Introductions & facilities
• Security Landscape

• Vulnerability Analysis
  » Top Attacks Overview
  » Hands on Labs 1-2

• Vulnerability Analysis (continued)
  » Hands on Labs 3-5

• Automated Vulnerability Analysis
  » AppScan Overview
  » Hands on Lab 6
Hands-on Labs

Lab 1 — Profile Web Application
Lab 2 — Steal Cookies
Lab 3 — Login without Credentials
Lab 4 — Steal Usernames and Passwords
Lab 5 — Logging into the Administrative Portal
Lab 6 — Automated Scan of Website
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ay 
Lab 1 Profile Web Application 


e The Goal of this lab is to profile the demo.testfire.net application 
e Identify the Lab Workbook and where to start (page #), where to stop (page #) 
Lab 2 Steal Cookies 


• The goal of the lab is to utilize a Cross Site Scripting vulnerability on the 
demo.testfire.net application in order to access cookies on a target user's browser 

• Identify the Lab Workbook and where to start (page #), where to stop (page #) 
2 - Injection Flaws 


• What is it? 
» User-supplied data is sent to an interpreter as part of a command, query or data. 

• What are the implications? 
» SQL Injection — Access/modify data in DB 
» SSI Injection — Execute commands on server and access sensitive data 
» LDAP Injection — Bypass authentication 
Injection flaws occur when user-supplied data is sent to an interpreter as part 
of a command, query or data. The main issue here is that user input is not 
sanitized, and is embedded in pre-existing commands. 

Injection flaws can occur in: 

- SQL queries (known as SQL Injection) 
- Server Side Includes (execute commands on the web server) 
- LDAP queries (used to bypass authentication) 

An IBM Proof of Technology 


SQL Injection 





• User input inserted into SQL command: 

» Get product details by id: 
Select * from products where id='$REQUEST['id']'; 

» Hack: send param id with value ' or '1'='1 

» Resulting executed SQL: 
Select * from products where id='' or '1'='1' 

» All products returned 











SQL Injection occurs when user input is embedded as-is inside a pre-built SQL 
query. For example: 

Let's assume that our web application receives a product ID as input, and 
presents that product's page. The SQL query looks like this: 

"Select * from products where id='" + $REQUEST['id'] + "'"; 

You should note that the query is basically a text string, and user input is 
concatenated to it. In this example, the user string is surrounded by 
apostrophes. Let's take a look at what will happen if we submit the product ID 
value of ' or ''=' 

The query will be: 
SELECT * from products where id='' or ''=''; 

You should pay attention to the fact that the WHERE criteria here is basically a 
Boolean TRUE. 

Since the result of this query matches every entry in the table, all the 
products will be returned. 
SQL Injection Example I 

[Screenshot: the Altoro Mutual Online Banking Login page at http://www.testfire.net/bank/login.aspx, with Username and Password fields and a Login button] 
Let's take a look at how SQL Injection can assist a hacker to bypass the login 
mechanism of a banking application: 

- First, in order to sense that SQL Injection is possible, the hacker will inject 
the apostrophe character (') as the user name 
SQL Injection Example II 

[Screenshot: http://www.testfire.net/bank/login.aspx responding with "An Error Has Occurred"] 

Summary: 

Syntax error (missing operator) in query expression 'username = ''' AND password = 'asdf''. 

Error Message: 

System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''' AND password = 'asdf''. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable) at Altoro.Authentication.ValidateUser(String uName, String pWord) in d:\downloads\AltoroMutual_v5\website\bank\login.aspx.cs:line 68 at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in d:\downloads\AltoroMutual_v5\website\bank\login.aspx.cs:line 32 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 
This yields a very informative SQL error message, which helps the attacker 
devise the next phase of the injection. 
SQL Injection Example - Exploit 

[Screenshot: the login page at http://www.testfire.net/bank/login.aspx with the Username field set to ' or 1=1-- and the Password field left blank] 
Now, the hacker attempts to send the username: ' or 1=1-- 

Note: the apostrophe is used to close the string context in which our input is 
embedded 

1=1 is a Boolean TRUE 

-- is used in MS SQL to comment out everything after the -- sign, so we don't 
have to worry about the rest of the SQL query 
SQL Injection Example - Outcome 

[Screenshot: http://www.testfire.net/bank/main.aspx after the injection. The page greets "Hello, John Smith", shows "Welcome to Altoro Mutual Online." with "View Account Details: 1001160140 Checking", the account menu (View Recent Transactions, Transfer Funds, Search News Articles, Customize Site Language) and the Altoro Gold Visa pre-approval notice] 
After sending this SQL injection payload, we will be logged into the application 
as the first user in the users table, without having to supply actual credentials. 
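The product lookup from the SQL Injection slide and the login bypass shown here, reproduced as an added example (not the deck's or testfire's code) against a constructed in-memory SQLite database, with a parameterised version of each query beside it for comparison:

```python
import sqlite3

# Constructed stand-in for the products and users tables of the slides'
# banking application. Rows are sample data; passwords are stored in clear
# only so that the concatenated query on the slide can be reproduced as-is.
SCHEMA = """
CREATE TABLE products (id TEXT, name TEXT);
INSERT INTO products VALUES ('100', 'Checking'), ('200', 'Savings'), ('300', 'Gold Visa');
CREATE TABLE users (username TEXT, password TEXT, display TEXT);
INSERT INTO users VALUES ('jsmith', 's3cret', 'John Smith'), ('admin', 'hunter2', 'Admin User');
"""


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def product_lookup_vulnerable(db, product_id: str) -> list:
    # The slide's pattern: the request value is pasted into the SQL text, so an
    # apostrophe in it closes the string and the remainder is parsed as SQL.
    sql = "SELECT name FROM products WHERE id='" + product_id + "'"
    return [row[0] for row in db.execute(sql)]


def product_lookup_safe(db, product_id: str) -> list:
    # Parameterised query: the driver sends the value separately from the SQL
    # text, so it can only ever be compared as data, never parsed as syntax.
    rows = db.execute("SELECT name FROM products WHERE id=?", (product_id,))
    return [row[0] for row in rows]


def login_vulnerable(db, username: str, password: str):
    # Same defect in the login form: ' or 1=1-- closes the string, makes the
    # WHERE clause true, and comments out the password check; the first row
    # of the users table is returned, as on the Outcome slide.
    sql = ("SELECT display FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    row = db.execute(
        "SELECT display FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```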
Demonstration — SQL Injection 

• Main points covered in the demo or video: 
» How to find a SQL injection vulnerability 
» How to exploit a SQL injection vulnerability 
Injection Flaws (SSI Injection Example) 

Creating commands from input 

[Screenshot: a map-generation form in a Netscape browser] 

Comments at one level can be commands at another 

The return is the private SSL key of the server 

[Screenshot: the form reads "We need a city, state; city, state zip; or a zip to generate a map". The "Street Address, Intersection or Airport Code" field contains the SSI directive <!--#exec /bin/cat /etc/ssl/private. (truncated in the slide) and a "City, State Zip or a ZIP" field follows] 
3 - Malicious File Execution 

• What is it? 
» Application tricked into executing commands or creating files on server 

• What are the implications? 
» Command execution on server — complete takeover 
» Site Defacement, including XSS option 
Let's continue to the next item on the OWASP Top 10 list - Malicious File 
Execution. 

In Malicious File Execution, the hacker attempts to trick the application into 
executing commands or creating files on the server. 

The implications of this attack are: 

- The hacker can execute remote commands on the server, which means a 
complete takeover 

- The hacker may deface the web site. 
Demonstration — Malicious File 

• Main points covered in the demo or video: 
» Demonstrating how a Malicious File Exploit attack can be used to get access to system files 
Malicious File Execution — Example I 

[Screenshot: the feedback page at http://www.testfire.net/feedback.aspx, with a proxy view of the POST to http://www.testfire.net/comment.aspx listing the request headers (User-Agent: Mozilla/5.0 (Windows; U; Window...), Accept, Accept-Language, Accept-Encoding, Accept-Charset, Keep-Alive) next to the Submit button and the site's Small Business navigation] 
Let's take a look at our banking application again. 

The application contains a feedback form, which allows users to send the 
application owner all sorts of feedback. This feedback is submitted and 
appended to a file on the operating system. Since the application was designed 
poorly, the location of the feedback file is taken from a "hidden" form parameter 
called "cfile". All a hacker has to do in order to "create" a new file on the 
operating system is manipulate the value of the "cfile" parameter to a different 
filename, and submit contents for that file (submitted as feedback). 


Malicious File Execution — Example cont. 

[Screenshot: proxy view of the POST to http://www.testfire.net/comment.aspx. Request headers (values truncated in the screenshot): Host www.testfire.net, User-Agent Mozilla/5.0 (Windows; U; Window, Accept text/xml,application/xml,applicat, Accept-Language en-us,en;q=0.5, Accept-Encoding gzip, deflate, Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0., Keep-Alive 300, Connection keep-alive, Referer http://www.testfire.net/feedbac. Post parameters: cfile, name, email_addr, subject, comments, submit (+Submit+). The comments value is URL-encoded (%3C%25%40+Page+Language...) and decodes to:] 

<%@ Page Language="C#" %> 
<% Response.Write(System.IO.File.ReadAllText("c:/windows/system32/drivers/etc/hosts")); %> 
Let's perform the attack. 

We change the value of the cfile parameter to myevilfile.aspx (we are creating 
an ASPX file, which is a server-side Microsoft ASP.NET script). 

Instead of feedback, we'll fill this file with some C# code that will reveal the 
contents of the system's hosts file. 
Malicious File Execution — Example cont. 

[Screenshot: http://www.testfire.net/myevilfile.aspx rendering the contents of the Windows hosts file: "asdf. asdf. asdf." followed by the standard header "# Copyright (c) 1993-1999 Microsoft Corp. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # This file contains the mappings of IP addresses to host names. Each entry should be kept on an individual line. The IP address should be placed in the first column followed by the corresponding host name. The IP address and the host name should be separated by at least one space. Additionally, comments (such as these) may be inserted on individual lines or following the machine name denoted by a '#' symbol. For example: 102.54.94.97 rhino.acme.com # source server, 38.25.63.10 x.acme.com # x client host" and the entry 127.0.0.1 localhost] 
When requesting the server-side script we just created, the application will 
execute it for us, revealing the contents of the hosts file. 

Game Over! 
4 - Insecure Direct Object Reference 

• What is it? 
» Part or all of a resource (file, table, etc.) name controlled by user input. 

• What are the implications? 
» Access to sensitive resources 
» Information Leakage, aids future hacks 
In several scenarios, it may be possible for an attacker to manipulate the web 
application to disclose a resource such as a sensitive file. This can occur by 
either guessing a common file name and location and attempting to request it, 
or by manipulating a parameter value that is used to access a file, as will be 
seen in the next example. 

The implications of Insecure Direct Object Reference are usually information 
leakage or access to sensitive resources. 
Demonstration — Insecure Direct Object References 

• Main points covered in the demo or video: 
» Demonstrating how to extract files from the host system using the poison null byte attack 
Insecure Direct Object Reference - Example 

[Screenshot: http://www.testfire.net/default.aspx showing the "Deposit Products" page ("At Altoro Mutual, we offer business deposit products designed to help you manage your money and grow your business including: Commercial Savings Accounts, Commercial Money Market Accounts, Time Deposits, High Yield Investments; for more information about these products, please contact Altoro Mutual") inside the normal site navigation] 
In this example, we see a web application that uses a parameter called 
"content", which points to the contents of the page to be displayed. An attacker 
might attempt to manipulate the parameter value from "business_deposit.htm", 
which is the valid page, to some other file, for example boot.ini, which is a 
system file. 
Insecure Direct Object Reference — Example Cont. 

[Screenshot: request for http://www.testfire.net/default.aspx?content=../boot.ini; the page renders the site frame with an error message in place of the content] 
The attempt failed, and the system disclosed that it only allows parameter values 
(file names) that end with either txt or htm as their file extension. 

Let's try a little trick called "Poison Null Byte": we'll write the file we actually want 
to open, which is boot.ini, but append a NULL character and the extension the 
application is looking for (in this example .htm). 
Insecure Direct Object Reference — Example Cont. 

[Screenshot: request for http://www.testfire.net/default.aspx?content=../boot.ini%00.htm; the content area now shows the boot.ini text, beginning with [boot loader] and containing rdisk(0)partition(1)\WINDOWS and /fastdetect, inside the site layout] 
Bingo! We managed to circumvent the file extension validation and open a 
sensitive system file. 

Using this technique, we can manipulate the application to hand us the contents 
of other, more sensitive files, such as databases, customer files, etc. 
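An added example (not code from the deck or the demo application) covering both the cfile feedback file from the Malicious File Execution slides and the content parameter above: a hardened resolver for the content file name that rejects the poison null byte and traversal, and a feedback writer whose file location never comes from the client. CONTENT_DIR and FEEDBACK_FILE are assumed server paths and the in-memory file store is constructed:

```python
import os
import re
import urllib.parse

# Assumed server-side locations (constructed for this example).
CONTENT_DIR = "/srv/altoro/content"
FEEDBACK_FILE = "/srv/altoro/data/feedback.txt"
# The extensions the slides say the application accepts for 'content'.
ALLOWED_EXTENSIONS = (".htm", ".txt")
# Allowlist for a content file name: no separators, no NUL, one extension.
CONTENT_NAME = re.compile(r"[A-Za-z0-9_-]+\.(htm|txt)")


def naive_extension_check(value: str) -> bool:
    """The check the slides describe: only the end of the string is inspected.

    '../boot.ini' followed by a NUL byte and '.htm' passes, yet a C-level
    open() stops at the NUL and opens ../boot.ini.
    """
    return value.endswith(ALLOWED_EXTENSIONS)


def resolve_content_path(raw_value: str) -> str:
    """Hardened resolution of the 'content' parameter; raises ValueError.

    Decodes once, rejects NUL bytes explicitly (the poison null byte), allows
    only a plain file name with a permitted extension, and finally confirms
    that the real path is still inside CONTENT_DIR.
    """
    value = urllib.parse.unquote(raw_value)
    if "\x00" in value:
        raise ValueError("NUL byte in content parameter")
    if not CONTENT_NAME.fullmatch(value):
        raise ValueError("content must be a plain .htm or .txt file name")
    root = os.path.realpath(CONTENT_DIR)
    full = os.path.realpath(os.path.join(root, value))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("content path escapes the content directory")
    return full


def is_rejected(raw_value: str) -> bool:
    """True if resolve_content_path refuses the value."""
    try:
        resolve_content_path(raw_value)
    except ValueError:
        return True
    return False


def store_feedback(form: dict, files: dict) -> str:
    """Appends feedback to the fixed FEEDBACK_FILE and returns that path.

    'files' stands in for the filesystem (a constructed dict path -> text).
    The file location comes from server configuration, never from the form;
    a client-supplied 'cfile' is ignored and reported, because the form as
    served carries no such field and its presence means tampering.
    """
    if "cfile" in form:
        print(f"alert: client supplied cfile={form['cfile']!r}; ignored")
    entry = (f"{form.get('name', '')} <{form.get('email_addr', '')}> "
             f"{form.get('subject', '')}: {form.get('comments', '')}\n")
    files[FEEDBACK_FILE] = files.get(FEEDBACK_FILE, "") + entry
    return FEEDBACK_FILE
```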
5 - Information Leakage and Improper Error Handling 

• What is it? 
» Unneeded information made available via errors or other means. 

• What are the implications? 
» Sensitive data exposed 
» Web App internals and logic exposed (source code, SQL syntax, exception call stacks, etc.) 
» Information aids in further hacks 




Let's move on to the next item on the OWASP Top 10 list - Information Leakage 
and Improper Error Handling. 

Information leakage vulnerabilities usually do not allow a hacker to perform 
malicious actions, but rather enable the attacker to gather sensitive 
information, either about the application or about its users. This usually 
happens when application debugging information is not sanitized from 
response pages when all sorts of errors (such as the SQL error messages 
shown before) occur, but it can also happen from more naive mistakes, such 
as leaving personal information or debugging remnants inside HTML 
comments. 

The implications of information leakage range from sensitive data being 
exposed to web application internal logic being visible to the hacker. 
Information Leakage - Example 

[Screenshot: the Online Banking Login page at http://www.testfire.net/bank/login.aspx next to its HTML source, which contains:] 

<h1>Online Banking Login</h1> 
<!-- To get the latest admin login, please contact SiteOps at 415-555-6159 --> 
Let's take a look at two information leakage examples: 

The first example is a simple one: the administrator left his/her phone number 
inside HTML comments, assuming that users do not read them. This 
information can be harvested and later on used for social engineering 
purposes. 

The second example is the same as our previous SQL Injection scenario: if we 
submit a value (in this case an apostrophe) that the application does not know 
how to handle, it might spit back debugging information. 
Improper Error Handling - Example 

[Screenshot: http://www.testfire.net/bank/login.aspx responding with "An Error Has Occurred". Summary: Syntax error (missing operator) in query expression 'username = ''' AND password = 'asdf''. Error Message: the System.Data.OleDb.OleDbException and the full ASP.NET stack trace reproduced under SQL Injection Example II, ending in Altoro.Authentication.ValidateUser(String uName, String pWord) in d:\downloads\AltoroMutual_v5\website\bank\login.aspx.cs:line 68 and Altoro.Authentication.Page_Load in the same file at line 32] 
What you see here is the response to the form submission, which included an 
apostrophe character as the user name. 

This error page reveals information about the type of SQL database that is 
used, and about the structure of the SQL query, allowing us to further devise a 
SQL Injection attack against the web application. 
Information Leakage — Different User/Pass Error 

[Screenshot: two Online Banking Login attempts. With Username jsmith and a wrong password the page says "Login Failed - Invalid Password"; with Username nouser it says "Login Failed - Invalid Username"] 
One last example of information leakage, which is also very common, is 
verbose login error messages. Some applications will present the user with 
different error messages when the login process fails due to an invalid username 
or an invalid password (as seen in this slide). While this is not a severe issue, it 
narrows down the amount of time it will take the hacker to guess (or brute force) 
his/her way into the application. 
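Added example, not the deck's or the demo application's code: the verbose login messages above beside a version that returns one message for both failures, plus a request wrapper that keeps backend exceptions such as the OleDbException shown earlier out of the response and in the server log. The user table, hash choice and failing backend are constructed for the example:

```python
import hashlib
import hmac
import logging
import uuid

log = logging.getLogger("altoro.auth")

# Constructed user table: username -> sha256 of the password. Sample data only;
# a real deployment would use a slow, salted hash such as PBKDF2 or bcrypt.
USERS = {
    "jsmith": hashlib.sha256(b"s3cret").hexdigest(),
    "admin": hashlib.sha256(b"hunter2").hexdigest(),
}
# Compared when the user does not exist, so the unknown-user path does the
# same work as the wrong-password path (no timing difference to observe).
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()

GENERIC_FAILURE = "Login Failed - Invalid username or password"
GENERIC_ERROR = "An error has occurred. Please try again later."


def login_verbose(username: str, password: str) -> str:
    """The leaky behaviour on the slide: the message says which part was wrong."""
    if username not in USERS:
        return "Login Failed - Invalid Username"
    if USERS[username] != hashlib.sha256(password.encode()).hexdigest():
        return "Login Failed - Invalid Password"
    return f"Hello, {username}"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for both failures, constant-time comparison, and
    the distinguishing detail goes to the server log only."""
    expected = USERS.get(username, _DUMMY_HASH)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(expected, supplied) and username in USERS
    if not ok:
        log.info("login failed user=%r exists=%s", username, username in USERS)
        return GENERIC_FAILURE
    return f"Hello, {username}"


def backend_that_fails(username: str, password: str) -> str:
    """Constructed stand-in for a backend whose query breaks on an apostrophe,
    producing the kind of message the OleDbException slide shows."""
    raise RuntimeError("Syntax error (missing operator) in query expression "
                       f"'username = '{username}' AND password = '{password}''")


def handle_login_request(username: str, password: str, authenticate=login_uniform):
    """Boundary wrapper: backend exceptions never reach the client.

    Returns (page text, reference id); the full exception and stack trace are
    written to the log under that id so support can correlate without the
    response disclosing the database type, query structure or source paths.
    """
    ref = uuid.uuid4().hex[:8]
    try:
        return authenticate(username, password), ref
    except Exception:  # deliberately broad: this is the last line of defence
        log.exception("login error ref=%s user=%r", ref, username)
        return f"{GENERIC_ERROR} (reference {ref})", ref
```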
6 - Failure to Restrict URL Access 

• What is it? 
» Resources that should only be available to authorized users can be accessed by forcefully browsing them 

• What are the implications? 
» Sensitive information leaked/modified 
» Admin privileges made available to hacker 
The last item on the OWASP Top 10 list is Failure to Restrict URL Access. 

One of the most common security issues in web applications is the lack of 
proper access restrictions. Many people forget that not having a link to a 
resource doesn't mean that hackers can't guess it. You should always limit 
users' access by putting URL access restrictions in place. Portions of the site that 
belong to administrators should never be accessible to regular users. 

Failing to create proper access restrictions on web application resources might 
lead to: 

- Information leakage 
- Privilege escalation 
Failure to Restrict URL Access - Admin User login 

[Screenshot: after logging in through the Online Banking Login form, the page greets "Hello, Admin User" with "Welcome to Altoro Mutual Online.", the account menu (View Account Summary, View Recent Transactions, Transfer Funds, Search News Articles, Customize Site Language) and an ADMINISTRATION section with a "View Application Values" link] 
We'll now take a look at a simple Privilege Escalation example. 

This example shows how unrestricted access to the administration page may 
lead to complete compromise of the web application. 

When we log into the application as the administrator, we are presented with a 
link to the user account editing page. Naturally, this link doesn't appear in 
regular users' screens, nor should it be accessible to them. 

Since the application doesn't restrict access to this page, a hacker can attempt 
to guess that link and take over the web application, as will be seen in the 
following slide. 
Simple user logs in, forcefully browses to admin page 

[Screenshot: a regular user's Online Banking Login followed by the "Edit User Information" administration page: "Add an account to an existing user." with a Users drop-down (100116014 jsmith) and an Account Types drop-down (Savings)] 
In this slide you see how the user authenticates as a regular user, but since the 
application did not have proper URL access permissions, the user guessed the 
link to the administration page and was able to perform actions on behalf of the 
administrator, without having to log in as a high privileged user. 
Failure to Restrict URL Access: Privilege Escalation Types 

• Access given to completely restricted resources 
» Accessing files that shouldn't be served (*.bak, "Copy Of", *.inc, *.cs, ws_ftp.log, etc.) 

• Vertical Privilege Escalation 
» Unknown user accessing pages past login page 
» Simple user accessing admin pages 

• Horizontal Privilege Escalation 
» User accessing other user's pages 
» Example: Bank account user accessing another's 
- You should always block users from requesting and retrieving restricted 
resources (for example, backup files, log files, source code files, etc.) 

- Regular users shouldn't be allowed to access pages that belong to higher 
privileged users (this is referred to as vertical PE) 

- Regular users shouldn't have access to other regular users' pages (this is 
referred to as horizontal PE) 
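An added example (not the demo application's code) of a deny-by-default authorisation check that covers all three cases above: restricted files, vertical privilege (role against route) and horizontal privilege (account ownership). The route table, role names, the acct query parameter and the /admin/ path prefix are assumptions; the account number is the one shown on the earlier Outcome slide:

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Constructed session model: who is logged in and what they own."""
    username: Optional[str]
    role: str                        # 'anonymous', 'user' or 'admin'
    accounts: frozenset = frozenset()  # account numbers this user owns


# Files that must never be served, after the list on the slide.
BLOCKED_PATTERNS = ("*.bak", "Copy of*", "*.inc", "*.cs", "ws_ftp.log")

# Assumed route table: regex -> minimum role. Anything not listed is denied,
# so a guessed URL fails closed instead of falling through to the handler.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
ROUTES = [
    (re.compile(r"^/$"), "anonymous"),
    (re.compile(r"^/bank/login\.aspx$"), "anonymous"),
    (re.compile(r"^/bank/main\.aspx$"), "user"),
    (re.compile(r"^/bank/account\.aspx$"), "user"),
    (re.compile(r"^/admin/.*$"), "admin"),
]


def authorize(session: Session, path: str, query: Optional[dict] = None):
    """Returns (allowed, reason) for a request to 'path' with query parameters.

    Order of checks: restricted resource, then vertical privilege (the
    session's role must reach the route's minimum), then horizontal
    privilege (an 'acct' parameter must name an account the user owns;
    admins may view any account).
    """
    query = query or {}
    name = path.rsplit("/", 1)[-1]
    if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in BLOCKED_PATTERNS):
        return False, "restricted resource"

    for pattern, required in ROUTES:
        if pattern.match(path):
            if ROLE_RANK[session.role] < ROLE_RANK[required]:
                return False, f"vertical: {required} required"
            break
    else:
        return False, "no route"  # deny by default

    acct = query.get("acct")
    if acct is not None and session.role != "admin" and acct not in session.accounts:
        return False, "horizontal: account not owned"
    return True, "ok"
```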
Demonstration — Failure to Secure URL Access 

• Main points covered in the demo or video: 
» How to use forceful browsing to access the administrative page 
Hands-on Labs 3-5 

Lab 1 — Profile Web Application 
Lab 2 — Steal Cookies 
Lab 3 — Login without Credentials 
Lab 4 — Steal Usernames and Passwords 
Lab 5 — Logging into the Administrative Portal 
Lab 6 — Automated Scan of Website 
Lab 3 overview — Login without Credentials 

• The goal of the lab is to locate a SQL injection vulnerability and exploit it to log 
into the demo.testfire.net application without a password 

• Identify the Lab Workbook and where to start (page #), where to stop (page #) 
Lab 4 overview — Steal Username and Password 

• The goal of this lab is to exploit the SQL Injection vulnerability further in order to 
extract all the usernames and passwords from the demo.testfire.net application 

• Identify the Lab Workbook and where to start (page #), where to stop (page #) 
Lab 5 overview — Logging in to Admin Portal 

• The goal of this lab is to use Information Leakage and Direct Access to URLs to find 
and log into the administrative portal 

• Identify the Lab Workbook and where to start (page #), where to stop (page #) 
AppScan 





• What is it? 
» AppScan is an automated tool used to perform vulnerability 
assessments on Web Applications 

• Why do I need it? 
» To simplify finding and fixing web application security problems 

• What does it do? 
» Scans web applications, finds security issues and reports on them in 
an actionable fashion 

• Who uses it? 
» Security Auditors — main users today 
» QA engineers — when the auditors become the bottleneck 
» Developers — to find issues as early as possible (most efficient) 
Watchfire Application Security Testing Products 

AppScan Enterprise — Web Application Security Testing Across the SDLC 

ASE QuickScan: Test Applications As Developed 
AppScan QA: Test Applications As Part of QA Process 
AppScan Audit: Test Applications (illegible) Deployment 
AppScan MSP: Monitor or Re-Audit Deployed Applications 
What does AppScan test for? 

[Layer diagram, top to bottom:] 
Web Applications 
Third-party Components 
Web Server Configuration 
Web Server 
Database 
Applications 
Operating System 
Network 
How does AppScan work? 

• Approaches an application as a black-box 
• Traverses a web application and builds the site model 
• Determines the attack vectors based on the selected Test policy 
• Tests by sending modified HTTP requests to the application and examining the HTTP 
response according to validation rules 

[Diagram: AppScan sends an HTTP Request to the Web Application and examines the HTTP Response] 
AppScan scans for vulnerabilities by traversing an application similarly to the way a user browses a website. It starts from the home page or some other entry point, as defined by the user, and follows all the links. Each page is analyzed, and based on the characteristics of the page, AppScan sends a number of tests. The tests are sent in the form of HTTP requests. AppScan determines the presence of vulnerabilities based on the responses from the web server. The application is treated as a black box and AppScan communicates with it just like a browser does.

AppScan Enterprise has thousands of built-in tests and checks for hundreds of different types of vulnerabilities.
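The crawl-then-test loop described above, as an added example that is not AppScan's or IBM's code: a toy black-box scanner in Python that builds a site model by following links from an entry point, sends one modified request per (parameter, test) pair from a small test policy, and applies a validation rule to each response. The target web application, its URLs (http://app.test/) and the two flaws on /search are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlparse, parse_qs, urlencode
# Constructed in-memory "web application" standing in for the HTTP server: takes a
# URL, returns (status, html). Deliberately has two flaws on /search for the scan to find.
def toy_app(url):
    parts = urlparse(url)
    if parts.path == "/":
        return 200, '<a href="/search?q=test">search</a> <a href="/">home</a>'
    if parts.path == "/search":
        term = parse_qs(parts.query).get("q", [""])[0]
        if "'" in term:  # simulates unparameterised SQL: a quote breaks the query
            return 500, "Server Error: unclosed quotation mark in SQL statement"
        return 200, f"<p>Results for {term}</p>"  # reflected without HTML encoding
    return 404, "not found"

def build_site_model(send, entry):
    """Traverse from the entry point following every href like a browser; record each path's parameters."""
    seen, queue, model = set(), [entry], {}
    while queue:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        _, body = send(url)
        parts = urlparse(url)
        model.setdefault(parts.path, set()).update(parse_qs(parts.query))
        queue.extend(urljoin(url, href) for href in re.findall(r'href="([^"]*)"', body))
    return model

# Test policy: (issue name, modified parameter value, validation rule on the response).
POLICY = [
    ("sql-injection", "x'", lambda st, body: st == 500 and "SQL" in body),
    ("cross-site-scripting", "<xss>", lambda st, body: "<xss>" in body),
]

def scan(send, entry):
    """Black-box scan: send each test variant to every parameter and keep rule matches."""
    findings = []
    for path, params in build_site_model(send, entry).items():
        for param in sorted(params):
            for issue, payload, rule in POLICY:
                st, body = send(urljoin(entry, f"{path}?{urlencode({param: payload})}"))
                if rule(st, body):
                    findings.append((issue, path, param))
    return findings

if __name__ == "__main__":
    for finding in scan(toy_app, "http://app.test/"):
        print(finding)
```

The same loop works against any `send(url) -> (status, body)` callable, so swapping `toy_app` for a real HTTP client turns it into a crude scanner for an application you own; what makes a product scanner useful is the breadth of its test policy and the precision of its validation rules, not the loop itself.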
AppScan Goes Beyond Pointing out Problems

[Diagram: workflow from "Scan applications" … to "Develop fix"]
[Screenshot: AppScan results view for a scan of http://demo.testfire.net/ — "53 Security Issues (368 variants) for 'My Application'", arranged by severity, highest on top. Issue types shown include Blind SQL Injection (4, on bank/account.aspx, bank/login.aspx and bank/transaction.aspx), Cross-Site Scripting (5), Format String Remote Command Execution (1), HTTP Response Splitting (1), SQL Injection (6) and Cookie Poi… SQL Injection (1). Status bar: Visited URLs 108/108, Completed Tests 14194/14194, 53 Security Issues. The Remediation Tasks pane reads:]

General
There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launch arbitrary SQL queries, embed Javascript code to be executed on the client side, run various operating system commands etc.
It is advised to filter out all the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
AppScan with QA Defect Logger for ClearQuest

[Screenshot: "AS7.5 Demo Scan 1.scan — Watchfire AppScan" showing 54 Security Issues (370 variants) for 'My Application' on http://demo.testfire.net/, with Blind SQL Injection (4) expanded (feedback.aspx, search.aspx, servererror.aspx). The issue's right-click menu offers Severity, Re-test, Delete and Set as Non-vulnerable, and a ClearQuest defect form is opened with the finding pre-filled: Summary "SQL Injection in http://revelation/acmehackme/bank/login.aspx (Parameter passw)"; Description "SQL Injection — Application-level test — WASC Threat Classification: Command Execution: SQL Injection"; CVE Reference(s); Security Risk "It is possible to view, modify or delete database entries and tables"; State, Project, Keywords and Symptoms fields; priority choices 2-Give High Attention, Normal Queue, 4-Low Priority; attachments Advisory.html, Fix….html, Variant1-Ori…, Variant1-Tes…, Variant2-Ori…, Variant2-Tes…, Variant3-Or…. Status bar: Visited URLs 112/112, Completed Tests 14255/14255, 54 Security Issues.]


Lab 6 overview

• The goal of this lab is to use AppScan in order to automate the detection of vulnerabilities within a web application

• Identify the Lab Workbook and where to start (page #), where to stop (page #)
Session summary

• Understand the web application environment
• Understand and differentiate between network and application level vulnerabilities
• Understand where the vulnerabilities exist
• Hands on exercises to understand types of vulnerabilities
• Hands on exercise to leverage automated scan for vulnerabilities
Next steps

• Contact your Watchfire Account Representative to schedule a Vulnerability Assessment of one of your Applications
Reference materials

• IBM.com
» http://www-306.ibm.com/software/rational/welcome/watchfire/products.html


© Copyright IBM Corporation 2007. All rights reserved. 


We appreciate your feedback.
Please fill out the survey form in order to improve this educational event.